Let's Encrypt

Jed Cunningham


Browser-trusted certs cost $$

Let's Encrypt CA

  • Non-profit CA
  • Wants to increase adoption of HTTPS
  • Free, 90-day certs
    • Short lifetime pushes you to automate renewal
    • Limits the damage window if a private key is lost or stolen


Let's Encrypt Stats

ACME Clients

Full list

ACME spec

Automatic Certificate Management Environment (ACME)

  • Domain validation via a challenge: a DNS TXT record (dns-01) or an HTTP resource (http-01)
  • Cert issuance and revocation


# Debian 8 (jessie): certbot ships in jessie-backports
$ sudo apt-get install certbot -t jessie-backports
# --standalone: certbot runs its own temporary web server to answer the
#   http-01 challenge, so nothing else may be listening on port 80
# --staging: issue from the staging CA (not browser-trusted) to test
#   without using up production rate limits; drop it for the real cert
$ sudo certbot certonly --standalone --staging -d example.com

# cert plus intermediate chain; the private key is privkey.pem alongside it
# /etc/letsencrypt/live/example.com/fullchain.pem


# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# "ssl on;" is redundant with "listen ... ssl" above and deprecated in newer nginx, so it is omitted
ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;   # leaf + intermediate chain
ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;     # root-readable only
# the original slide listed TLSv1 and TLSv1.1 too; both are deprecated (RFC 8996)
ssl_protocols           TLSv1.2;
ssl_ciphers             HIGH:!aNULL:!MD5;

Check our work

Qualys SSL Labs


certbot renew
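Renewal is meant to run unattended. As an added example (not from the slides), a root crontab entry that runs the renewal check twice a day and reloads nginx only when a certificate was actually replaced; the minute and hours are arbitrary choices.

```crontab
# /etc/cron.d/certbot (added example; schedule chosen arbitrarily)
# "certbot renew" only replaces certs within 30 days of expiry, so running it
# often is cheap. --deploy-hook runs once per lineage that was actually renewed.
17 3,15 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx"
```

The Debian package already installs its own cron job or systemd timer for `certbot renew`; check for it before adding a second one, and put the deploy hook there instead if it exists.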

More automatic

Will even configure your webserver!

  • Apache
  • nginx

Behind firewall

  • split DNS: get the cert on a public host for the same name, then copy both the cert and the private key to the internal server
  • or use the dns-01 challenge with certbot, which needs no inbound HTTP at all

certbot certonly --manual --preferred-challenges dns -d example.com

Note: every cert Let's Encrypt issues is published to public Certificate Transparency logs, so any internal hostname you put in a cert becomes public